Weekly spam summary for August 13th, 2005
Overall SMTP connections are running at twice the expected rate, at 246,000 SMTP connections although only from the usual 33,000 different IP address. The SMTP frontend hit a highwater of 18 simultaneous connections during the week.
Kernel level IP filtering:
Host/Mask Packets Bytes 22.214.171.124 11909 572K 126.96.36.199 8186 393K 188.8.131.52 8148 391K 184.108.40.206 7206 346K 220.127.116.11/24 6916 330K 18.104.22.168/13 5395 262K 22.214.171.124/24 4953 257K 126.96.36.199/11 4875 238K 188.8.131.52/12 4774 245K 184.108.40.206/10 4627 226K
This week is an impressive one for individual accomplishment; we had
some very determined would-be callers. 220.127.116.11 got into our IP
level filtering by being in dnsbl.njabl.org; everyone else was very
eager to give us a bad SMTP
HELO greeting. 18.104.22.168 made a
prior appearance in SpamAftermath-2005-07-30; 22.214.171.124 showed
up all the way back in IPReject-2005-06-18.
Connection-time rejections run:
24776 total 11386 dynamic IP 8050 bad or no reverse DNS 1347 class bl-spews 1284 class bl-cbl 573 class bl-dsbl 506 class bl-ordb 372 class bl-sbl 264 class bl-njabl 67 class bl-sdul 4 class bl-opm
These are up somewhat over last week. Unlike last week, there are no really big single sources that account for the jump in SPEWS.
On the unscientific basis of the number of different places sending us bad HELO greetings and SMTP bounces to nonexistent local users, we are being very actively forged as a spam origin once again. The numbers are up dramatically from last week:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Other systems show (if anything) a semi-significant decrease in spam and bounces.
Those amusing Referer spammers
One form of blog spam is 'Referer' spam.
Referer is the (optional)
HTTP header included in requests from web browsers to web servers that
contains the web page that the link to your page was on. Some blog
software uses this header as a lower-tech version of
Referer spam has the attraction for the spammers that it's dirt simple to do. All their software has to do is to make an ordinary HTTP request for a page or three on a web site and throw in a Referer header. No need to talk XML to a specific URL or anything like that.
As a result, Referer spammers appear willing to hit any web site without bothering to check whether their attempts work (this is like many mass attacks on the Internet; when the cost of the attack is so low, why bother being clever?). So, of course, they've wound up hitting CSpace.
What I suspect is that the Referer spammers are doing Google searches for web pages that already mention spam domains (perhaps particular ones), as a quick crude way of finding vulnerable web pages. Most of the time this works out okay, but it gets tripped up by web pages that discuss spam domains.
An analysis of my spammer
Looking at recent Referer spam, I got spam for excellent-health.com, casino-attraction.com, and cash-net.biz. Although they claim to be registered to different bogus places, they all seem to touch base with something variously called 'support2000.net', 'support-2000.net', and 'top-support.net'. They also all use the same two nameservers under various names, at the IP addresses 126.96.36.199 and 188.8.131.52.
184.108.40.206/24 is owned by 'Uplink Systems' under 'Hollywood Interactive, Inc' and is routed by ATMLINK (AS7796). 220.127.116.11 is part of a large WebStream Inc block and is SBL listed (SBL17672), for being in a /25 labeled as owned by Traffix.
The web sites themselves are all currently hosted at the IP address 18.104.22.168, part of 'ANET Internet Solutions' in the US, and its /27 is listed in the SBL as SBL24359 for being part of the Rokso-listed 'Brian Kramer / Expedite Media Group' grouping.
The IP addresses making the Referer spam requests don't seem to be listed in any DNS blocklist I routinely look at.
Some quick Googling suggests that these domains also engage in other sorts of blog spam, and that all three of these IP addresses are already well known for their spam involvement. (Yet they remain connected. Such is today's Internet, unfortunately.)